Why empty in esql

Hi, I have issues with my ES|QL queries, something with the index.

More than 10K entries

Then I press the Try ES|QL:

None.

If I go back the index is empty:

I have to explicitly re-select it from the index pull-down.

The time-range is the same.

If I use the devtool I can reproduce it, can't see any hidden characters in the index?

The issue is that we switched from Logstash (@timestamp) to Fluent Bit (time), and Kibana ES|QL detects @timestamp, so it is being used.

We have changed the data view to use time (but maybe the ES|QL part can't detect this like classic).

I can do it explicitly in the Elastic REST API, but it does not seem to work in Kibana:

python .\tools\esql.py --q='FROM fido2.multi-tenant.events-test12.0* | keep time | sort time DESC | limit 10'        
20250204144002.583|INFO|C:\dist\multitenant-fullstack-test\tools\esql.py:419|query: FROM fido2.multi-tenant.events-test12.0* | keep time | sort time DESC | limit 10
                    time
2025-02-04T12:01:03.468Z
2025-02-04T12:00:35.637Z
2025-02-04T10:01:09.107Z
2025-02-04T10:00:39.450Z
2025-02-04T08:38:45.942Z
2025-02-04T08:38:02.054Z
2025-02-04T08:37:52.114Z
2025-02-04T08:37:51.827Z
2025-02-04T08:01:17.990Z
2025-02-04T08:00:40.759Z

python .\tools\esql.py --q='FROM fido2.multi-tenant.events-test12.0* | keep @timestamp | sort @timestamp DESC | limit 10'
20250204144418.645|INFO|C:\dist\multitenant-fullstack-test\tools\esql.py:419|query: FROM fido2.multi-tenant.events-test12.0* | keep @timestamp | sort @timestamp DESC | limit 10
20250204144418.736|ERROR|C:\dist\multitenant-fullstack-test\tools\esql.py:430|error or no data found


python .\tools\esql.py --q='FROM fido2.multi-tenant.events-test12.0* | keep time,@timestamp | sort @timestamp DESC | limit 10'
20250204144558.383|INFO|C:\dist\multitenant-fullstack-test\tools\esql.py:419|query: FROM fido2.multi-tenant.events-test12.0* | keep time,@timestamp | sort @timestamp DESC | limit 10
                    time
2025-01-31T22:20:53.706Z
2025-01-31T22:22:54.564Z
2025-01-31T22:19:32.621Z
2025-01-31T22:20:31.555Z
2025-01-31T22:19:17.146Z
2025-01-31T22:20:53.866Z
2025-01-31T22:19:25.054Z
2025-01-31T22:19:30.159Z
2025-01-31T22:20:31.246Z
2025-01-31T22:22:58.613Z

Could you please post some screenshots of your Kibana UI, alongside the ES version used?

Thanks!

Hey, ES|QL doesn't work with data views, so changing the time field there won't be depicted in the ES|QL mode.

Which Kibana version are you running? At 8.16, if I am not mistaken, we introduced the ?_tend and ?_tstart variables. If you use them as in my example below, then the time picker will use the event.ingested time field for filtering and not the @timestamp one.

FROM custom-metrics-without-timestamp | WHERE event.ingested <= ?_tend and event.ingested > ?_tstart